I have just discovered in verbose Postfix logs on my mail server, that "start-tls: tls-only" option is in fact TLS via deprecated SMTPS on port 465, not STARTTLS.

The problem is that RouterOS can't send correct addres with EHLO command, thus all e-mails sent form my RB are rejected by SMTP policy:

See my mail log:

May 9 22:08:47 ubuntu postfix/smtpd[2570]: generic_checks: name=reject_invalid_helo_hostname
May 9 22:08:47 ubuntu postfix/smtpd[2570]: reject_invalid_hostaddr: [::]
May 9 22:08:47 ubuntu postfix/smtpd[2570]: NOQUEUE: reject: RCPT from some.domain.name.com[1.2.3.4]: 501 5.5.2 <[::]>: Helo command rejected: invalid ip address; from=<abc@abc.com> to=<abc@abc.com> proto=ESMTP helo=<[::]>
May 9 22:08:47 ubuntu postfix/smtpd[2570]: generic_checks: name=reject_invalid_helo_hostname status=2
May 9 22:08:47 ubuntu postfix/smtpd[2570]: > some.domain.name.com[1.2.3.4]: 501 5.5.2 <[::]>: Helo command rejected: invalid ip address

Temprorary fix for this issue is to disable reject_invalid_helo_hostname policy on Postfix.

The same problem is in "start-tls: on" mode (where port is set to 587). In this mode RouterOS use real STARTTLS but still incorrect address is sent with EHLO command: EHLO [::]


Please fix this HELO issue in next RouterOS release.